I have been seeing a lot of posts on Reddit and other forums, mostly from students, setting up an AWS account only for it to be hacked and the account owner being stuck with a significant bill.

The most likely scenario is that hackers are trying leaked username/password pairs from other breaches against AWS and gaining access to those accounts.

They then spin up EC2 instances in all sorts of regions on the compromised accounts.

PSA: set up MFA on your account if you haven't already.

Some examples:

https://www.reddit.com/r/aws/comments/rv3lm5/i_lost_55k_from_hackers/

https://www.reddit.com/r/aws/comments/rvbncu/account_hacked_unable_to_sign_in_4000_in/

https://www.reddit.com/r/aws/comments/qx8i02/got_hacked_and_found_a_30k_bill_please_turn_on/

https://www.reddit.com/r/aws/comments/rv4mnq/my_account_was_hacked_and_now_my_bill_is_over/
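The pattern the post describes (a reused password or leaked key used to log in and then launch EC2 instances across many regions) leaves a very recognisable trail in CloudTrail. The detector below is an added example, not code from the original post or from AWS: it scans CloudTrail-style event records and flags root console logins without MFA, RunInstances calls outside an allowlist of expected regions, launches authenticated with a long-lived IAM access key, and one principal launching in several regions. The records are constructed samples (invented account id, user names, key ids and timestamps) laid out with real CloudTrail field names; `EXPECTED_REGIONS` is an assumption about which regions the hypothetical account legitimately uses.

```python
"""Offline detector for the stolen-credential / cross-region EC2 launch pattern.

Added example. Field names (eventName, eventSource, awsRegion, userIdentity.type,
userIdentity.accessKeyId, additionalEventData.MFAUsed, requestParameters.instancesSet)
follow CloudTrail's JSON layout; every value below is constructed for illustration.
"""
import json
from collections import defaultdict

# Assumption: the account owner only ever works in this region.
EXPECTED_REGIONS = {"us-east-1"}

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {   # Legitimate: MFA-backed temporary credentials, one small instance, home region.
        "eventTime": "2022-01-03T09:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "accessKeyId": "ASIAEXAMPLETEMP0001",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "requestParameters": {"instanceType": "t3.micro",
                              "instancesSet": {"items": [{"minCount": 1, "maxCount": 1}]}},
    },
    {   # Root user signs in to the console with a password only (no MFA).
        "eventTime": "2022-01-04T02:13:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
        "userIdentity": {"type": "Root", "accountId": "123456789012"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
]
# Minutes later, a long-lived key launches bulk GPU instances in three unused regions.
for _i, _region in enumerate(["ap-southeast-1", "eu-west-3", "sa-east-1"]):
    SAMPLE_EVENTS.append({
        "eventTime": f"2022-01-04T02:2{_i}:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": _region,
        "userIdentity": {"type": "IAMUser", "userName": "deploy",
                         "accessKeyId": "AKIAEXAMPLELEAKED001"},
        "requestParameters": {"instanceType": "p3.16xlarge",
                              "instancesSet": {"items": [{"minCount": 20, "maxCount": 20}]}},
    })


def is_long_lived_key(identity):
    """Long-term IAM access keys start with AKIA; STS temporary keys start with ASIA."""
    return identity.get("accessKeyId", "").startswith("AKIA")


def requested_instance_count(event):
    items = event.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return sum(item.get("maxCount", 1) for item in items)


def scan_events(events, expected_regions=EXPECTED_REGIONS):
    """Return a list of finding dicts, one per triggered rule per event."""
    findings = []
    launch_regions = defaultdict(set)  # principal -> regions it launched in
    for ev in events:
        ident = ev.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")
        if (ev["eventName"] == "ConsoleLogin" and ident.get("type") == "Root"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append({"rule": "root-login-without-mfa", "principal": who,
                             "time": ev["eventTime"]})
        if ev["eventName"] == "RunInstances":
            region = ev["awsRegion"]
            launch_regions[who].add(region)
            if region not in expected_regions:
                findings.append({"rule": "launch-in-unexpected-region", "principal": who,
                                 "region": region, "instances": requested_instance_count(ev),
                                 "time": ev["eventTime"]})
            if is_long_lived_key(ident):
                findings.append({"rule": "launch-with-long-lived-access-key", "principal": who,
                                 "region": region, "time": ev["eventTime"]})
    for who, regions in launch_regions.items():
        if len(regions) >= 3:  # threshold is an assumption; tune to the account's habits
            findings.append({"rule": "launches-across-many-regions", "principal": who,
                             "regions": sorted(regions)})
    return findings


def count_by_rule(findings):
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = scan_events(SAMPLE_EVENTS)
    print(json.dumps(results, indent=2))
    print(count_by_rule(results))
```

Run against a real export, the same rules would be fed from the CloudTrail log files in S3 or from a CloudWatch Logs subscription; the point of the allowlist and the long-lived-key check is that a hobby account normally launches nothing outside one region and nothing from an AKIA key, so any hit is worth a look before the bill arrives.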
I deleted my AWS account yesterday. It is obviously catered towards large organisations - very complicated tools and pricing that I couldn't really fit into my use case. I tried to just shut down the services that were using money but wasn't even sure I had found them all so I just closed the whole account.

I don't even like the idea of any of this stuff. I want to run my own little raspberry pi server or whatever, it seems much more fun and startupish than aws, which appears to be all of the corporate stuff I left (AIMs etc). This is funny because I remember AWS being thought of as great for "just experimenting with stuff".
MFA needs to be forced on by default for all new accounts created with the UI. It is utterly irresponsible for AWS to not do this. People always counter with "you should know better!" But AWS markets itself to college kids. People were all up in arms at Robinhood allowing 18 year olds to create accounts which could result in unbounded losses, but AWS somehow gets a pass?
@aws, why not mandate MFA for a root user? In child org accounts where this is less feasible, you could allow access to the root user only from the parent account, no direct login at all.
I migrated off AWS in December and closed my account. With the outages, they are likely looking at revenue shortfalls. Outages don't scare me, but their billing practices are already uncomfortable. This may make them prone to be more stingy about bill forgiveness. Bill forgiveness is inherent in the unsafe billing model which makes even having the account open even more of a huge liability.

I'm done.
Good reminder to completely close my AWS account. I have TOTP MFA on it but having an AWS account that had the same root login as my Amazon retail account was risky and a mistake from the beginning. Luckily I haven't used it for anything in years so it was as simple as following the "Close account" procedure.

I'll use Digital Ocean for anything small if I need to spin up a server in the future.
This happened to me. I had a 9k bill and I got hacked and stuck with it on my personal account. I gave AWS $100k of business, through being a decision maker at a startup I work at, and that did not matter. AWS does not care about your business unless you are going to IPO. True story. Feel free to message me at Sgargconsulting --> GMAIL
This happened to me, the bill was so ridiculous that I wasn't even bothered by it. It got voided by aws support as predicted.

MFA does not prevent this. It's IAM keys.
I find it hard to believe AWS would try to suck blood from a stone. I’m willing to believe they get a 55k bill, but do they actually end up paying those?
Thanks! You've reminded me to close my hobby AWS account. I will do that now.

Edit: Done! Was quite easy. Luckily I had no services running or needed.
Their hardware MFA functionality is worse than useless.

It only permits a single hardware token to be registered to an account.

So good luck if you misplace or break your hardware token.
Well, yeah, of course they're stuck with the bill. I feel like people think AWS is supposed to have infinite guard rails regardless of what the engineers using it do, like when people write code that infinite loops and it blows up their bill.

AWS gives money back in a lot of cases that I think they legitimately aren't responsible for.

I don't know that other cloud providers are going to do any better - an attacker who has your credentials and spins up tens of thousands of dollars of infra will cost you thousands of dollars.

I'll certainly echo the advice for 2FA but, more importantly, use a strong, unique password.
I know it's easy to get lazy about checking your AWS billing dashboard but I do it once a week - you can set up alerts and whatnot but I find it easier just to go look at the current usage to make sure nothing has gone awry.
The fact that AWS has no way to limit billing seems insane to me. Your only recourse for an accidental (or malicious) overcharge is to beg customer support. It's an incredible liability.